hmax

secure password retention/verification based on salted HMAC hashes with configurable prefixes and character encodings

Usage no npm install needed!

<script type="module">
  import hmax from 'https://cdn.skypack.dev/hmax';
</script>

README

HMax

a flexible library for secure password verification and retention based on salted HMAC hashes with configurable prefixes and character encodings

Getting Started

Install HMax:

npm install hmax --save

Overview

HMax can be used to generate or verify secure password hashes. You can specify the HMAC algorithm, number of iterations, salt value/character encoding, input prefix/encoding and output encoding. Of course the library provides intelligent defaults that are typically recommended, but the flexibility can be very useful when integrating or migrating from an external system. This library was heavily inspired by David Wood's password-hash npm module.

Examples

A password hash with default options:

var hmax = require('hmax');

// generate a password hash for the password 'Mellon'
var hash = hmax.generate('Mellon');
//-> {
//->   algorithm: 'sha1',
//->   iterations: 1,
//->   salt: { encoding: 'utf8', value: 'WCgN2E4g' },
//->   input: { prefix: '', encoding: 'utf8' },
//->   output: { encoding: 'hex', value: '4353f21329879b1768dcc2e35a137d0d605646fb' }
//-> }

// verify the password against the original hash
hmax.verify('Mellon', hash);
//-> true

// verify an invalid password against the original hash
hmax.verify('Mordor', hash);
//-> false

// encode the password hash for efficient transfer and storage
var encoded = hmax.encode(hash);
//-> 'sha1$WCgN2E4g$4353f21329879b1768dcc2e35a137d0d605646fb'

// decode the encoded password
var decoded = hmax.decode(encoded);
//-> {
//->   algorithm: 'sha1',
//->   iterations: 1,
//->   salt: { encoding: 'utf8', value: 'WCgN2E4g' },
//->   input: { prefix: '', encoding: 'utf8' },
//->   output: { encoding: 'hex', value: '4353f21329879b1768dcc2e35a137d0d605646fb' }
//-> }

// verify the password against the decoded hash
hmax.verify('Mellon', decoded);
//-> true

// verify an invalid password against the decoded hash
hmax.verify('Mordor', decoded);
//-> false

A password hash with fixed salt (yikes!), a custom input prefix/encoding and a custom output encoding:

var hmax = require('hmax');

// generate a password hash for the password 'Mellon'
var hash = hmax.generate('Mellon', {
  salt: { value: '36ae2f9afb', encoding: 'hex' },
  input: { prefix: 'Sindarin', encoding: 'utf16le' },
  output: { encoding: 'base64' }
});
//-> {
//->   algorithm: 'sha1',
//->   iterations: 1,
//->   salt: { encoding: 'hex', value: '36ae2f9afb' },
//->   input: { prefix: 'Sindarin', encoding: 'utf16le' },
//->   output: { encoding: 'base64', value: 'eIaOmtdv6eEP4iUhLw0egzBDAow=' }
//-> }

// verify the password against the original hash
hmax.verify('Mellon', hash);
//-> true

// verify an invalid password against the original hash
hmax.verify('Mordor', hash);
//-> false

// encode the password hash for efficient transfer and storage
var encoded = hmax.encode(hash);
//-> 'sha1|Sindarin|utf16le$36ae2f9afb|hex$eIaOmtdv6eEP4iUhLw0egzBDAow=|base64'

// decode the encoded password
var decoded = hmax.decode(encoded);
//-> {
//->   algorithm: 'sha1',
//->   iterations: 1,
//->   salt: { encoding: 'hex', value: '36ae2f9afb' },
//->   input: { prefix: 'Sindarin', encoding: 'utf16le' },
//->   output: { encoding: 'base64', value: 'eIaOmtdv6eEP4iUhLw0egzBDAow=' }
//-> }

// verify the password against the decoded hash
hmax.verify('Mellon', decoded);
//-> true

// verify an invalid password against the decoded hash
hmax.verify('Mordor', decoded);
//-> false

Contributing

In lieu of a formal styleguide, take care to maintain the existing coding style. Add unit tests for any new or changed functionality.

Release History

(Nothing yet)